Yubikey signing error

Just got a code-signing certificate that works with my Yubikey today from ssl.com. Tested with SignTool using /n to select the newly installed cert and it works.

Followed instructions to import a hardware-based key into my Signotaur server, gave it the Yubikey PIV library, it found and I selected the certificate, I typed in my PIN and saved. Copied the thumbprint to my batch file I had used in the past for the old certificate (which worked) and tried it.

Got an error saying that SHA384 was not supported so switched the --file-digest parameter to use SHA256; tried it again, now I get: “Failed to sign … Reason: An unknown result occurred…. Exit code: 130.”

How do I troubleshoot this?

Never mind. I had switched the time server to use ssl.com but just tried switching it back to the one I had originally used with Signotaur (digicert) and it worked.

1 Like

I could reproduce here if I put https://ssl.com as the timestamp service. That is not the URL for their timestamp service; use http://ts.ssl.com/

We do need to do better with the error message though, we’re looking into it.

1 Like

Oh, duh! I knew that! I had used that in my signtool test! I just put that in and it works fine. 🙂

1 Like
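The failure in this thread came from a timestamp URL that served a web site instead of an RFC 3161 timestamp authority. As an added example (not code from the thread or from Signotaur), the sketch below builds a minimal timestamp query and classifies a reply by its Content-Type and PKIStatus, which is the check that separates a real TSA from an ordinary web page. The function names are hypothetical and the sample replies are constructed, so it runs offline.

```python
import hashlib

SHA256_OID = bytes.fromhex("0609608648016503040201")  # DER OID 2.16.840.1.101.3.4.2.1

def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def build_timestamp_query(data: bytes) -> bytes:
    """RFC 3161 TimeStampReq: version 1, SHA-256 messageImprint, certReq TRUE."""
    alg = der(0x30, SHA256_OID + b"\x05\x00")
    imprint = der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))
    return der(0x30, b"\x02\x01\x01" + imprint + b"\x01\x01\xff")

def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value) of the DER element at pos; raise if truncated."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length]

def classify_tsa_reply(content_type: str, body: bytes) -> str:
    """Tell a real TSA answer apart from whatever else the URL served."""
    if content_type.split(";")[0].strip().lower() != "application/timestamp-reply":
        return f"not-a-tsa: Content-Type is {content_type!r}"
    try:
        t1, resp = read_tlv(body)        # TimeStampResp SEQUENCE
        t2, info = read_tlv(resp)        # PKIStatusInfo SEQUENCE
        t3, status = read_tlv(info)      # PKIStatus INTEGER
        if (t1, t2, t3) != (0x30, 0x30, 0x02) or not status:
            raise ValueError("unexpected structure")
    except (ValueError, IndexError):
        return "not-a-tsa: body is not a DER TimeStampResp"
    code = int.from_bytes(status, "big")
    return "granted" if code in (0, 1) else f"rejected: PKIStatus {code}"

# Constructed sample replies (not captured from any real server).
WEB_PAGE = ("text/html; charset=utf-8", b"<!doctype html><html>...</html>")
REJECTED = ("application/timestamp-reply", der(0x30, der(0x30, b"\x02\x01\x02")))
GRANTED = ("application/timestamp-reply", der(0x30, der(0x30, b"\x02\x01\x00")))  # token omitted
```

To test a configured URL, POST the output of `build_timestamp_query` with `Content-Type: application/timestamp-query` and pass the response's Content-Type header and body to `classify_tsa_reply`.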